For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Anthony_Vaz_547's avatar
Anthony_Vaz_547
Icon for Nimbostratus rankNimbostratus
Feb 10, 2010

Is this a bad idea...

Hi guys   Curious on your thoughts on this please?     We traditionally have a setup where we may have web application servers and database servers in our corporate network.   ...
config
design
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Feb 10, 2010
Hi Anthony,

 

 

Without native character and path normalization functionality (or user-defined functions?) in iRules, I don't think it's a good idea to try to use iRules to perform HTTP security validation. It's quite simple to bypass most iRule URI validation with encoding/directory traversal attacks. See this post for details:

 

 

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3090031324

 

 

ASM can definitely provide good validation and protection. But I don't think iRules should be depended on for now for this scenario.

 

 

Aaron